The French Data Protection Agency CNIL (Commission nationale de l’informatique et des libertes) has ruled that Google Analytics’ use is against the GDPR. The CNIL began issuing notices to website administrators using Google Analytics.
This is in response to the January 2022 Austrian Data Protection Authority’s declaration of Google Analytics illegal under GDPR.
Google Analytics GDPR violations continue to spread throughout the EU
The Privacy Shield Framework was an agreement between the EU & the US that allowed data transfer to US-certified companies. However, many complaints have been received by the CNIL and other EU data privacy authorities regarding data transfers made during visits to Google Analytics websites.
The CNIL’s decision
The CNIL found that the use of Google Analytics by an unnamed website was not compliant with GDPR. This is because it had violated Article 44, which prohibits data transfers beyond the EU unless the recipient country can demonstrate adequate data protection.
Personal data is defined by the GDPR to include email address, race and gende or phone number. However, the less obvious identifiers are IP addresses or cookie IDs.
The CNIL’s decision was based upon the fact that the US doesn’t meet sufficient GDPR levels of data protection due to US surveillance laws. The unnamed website used Google Analytics to expose their visitors to risks when their personal data were exported to the US.
As of this writing, it’s not known if the CNIL has imposed a fine for GDPR violations. The CNIL has ordered the website manager to comply with GDPR and, if needed, to stop using Google Analytics in current conditions.
Users of Google Analytics need to take immediate action
The CNIL and EU-based data protection agencies have made clear their stance on Google Analytics. Inaction could result in fines that can reach up to 20 million EUR or 4% of an organisation’s global turnover, depending on which is higher.
Google Analytics users must take immediate actions to ensure that personal data is not transferred to the US, or to find a Google Analytics alternative that meets GDPR compliance.
Google is under EU scrutiny. Organisations that continue to use Google’s tools have to act now. We recommend our customers to switch to Matomo Analytics as an alternative to Google Analytics and close compliance gaps now. Get in touch with us to learn more about Matomo.